fix: Replace unsafe FFI with safe nix wrapper and add apt-get failure logging

[Copilot]

Addresses two security module code review findings: unsafe FFI call for privilege checking and silent apt-get update failures.

Changes

• scheduler.rs: Replace unsafe { libc::geteuid() == 0 } with nix::unistd::geteuid().is_root()

  • Add platform guards (#[cfg(unix)] / #[cfg(not(unix))])
  • Add nix crate dependency with user feature

• patcher.rs: Log apt-get update failures instead of silent suppression

  • Warn on non-zero exit status with stderr output
  • Warn on command execution failures
  • Add log::warn import

• License headers: Convert /** to /* in all security modules to fix Rust E0753 doc comment conflicts

• Dependencies: Align rusqlite to workspace version, add Serialize/Deserialize to PatchStrategy and ScheduleFrequency enums

// Before (unsafe)
fn is_root() -> bool {
    unsafe { libc::geteuid() == 0 }
}

// After (safe)
#[cfg(unix)]
fn is_root() -> bool {
    geteuid().is_root()
}

// Before (silent failure)
let _ = Command::new("apt-get").args(["update", "-qq"]).output();

// After (logged failure)
match Command::new("apt-get").args(["update", "-qq"]).output() {
    Ok(output) if !output.status.success() => {
        warn!("apt-get update failed with status: {}. Package cache may be stale.", output.status);
    }
    Err(e) => warn!("Failed to execute apt-get update: {}. Package cache may be stale.", e),
    _ => {}
}

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud